CVE-2026-23613

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4

Description GFI MailEssentials AI versions before 22.4 have a stored cross-site scripting issue in the URI DNS Blocklist configuration page. A logged-in user can inject HTML or JavaScript code into the ctl00$ContentPlaceHolder1$pv1$TXB URIs parameter of the '/MailEssentials/pages/MailSecurity/uridnsblocklist.aspx' ''API endpoint''. This injected code is saved and then displayed within the management interface, enabling script execution with the permissions of the logged-in user.

Recommendations Update GFI MailEssentials AI to version 22.4 or later.